EU's Chat Control Proposal: Balancing Child Protection and Digital Rights

The proliferation of online child sexual abuse material (CSAM) and online grooming represent grave and escalating societal challenges requiring robust legislative intervention at the European Union level.

Existing national laws have proven insufficient to combat these cross-border criminal activities that exploit digital anonymity. In response, the EU has pursued a harmonized approach to prevent and combat online child sexual abuse.

This effort is underscored by the EU Strategy for a More Effective Fight Against Child Sexual Abuse, adopted in July 2020. The interim Regulation (EU) 2021/1232, initially valid until August 2024 and extended until April 2026, provided a temporary framework allowing voluntary detection of CSAM by online service providers.

At the heart of the EU's current legislative endeavors lies the "Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL laying down rules to prevent and combat child sexual abuse". This is formally called the "Child Sexual Abuse Regulation" (CSAR), but has become widely known among critics as "Chat Control".

The proposal was introduced by European Commissioner Ylva Johansson on May 11, 2022. It aims to establish a comprehensive framework for detecting and preventing CSAM and online grooming across digital platforms.

The dual naming of the proposal—CSAR versus Chat Control—reveals a fundamental divergence in perception. Proponents use the official title to emphasize child protection, while opponents use "Chat Control" to highlight concerns about widespread surveillance and digital privacy erosion.

This article provides a comprehensive analysis of the EU's chat control proposal, examining its genesis, key provisions, technical aspects, legislative journey, and stakeholder positions. It also addresses controversies, criticisms, proposed amendments, and future outlook.

Ultimately, this analysis illuminates the central tension: balancing the imperative to protect children from online sexual abuse with fundamental privacy and data protection rights of all EU citizens.

The Genesis and Objectives of the Proposal

The Rising Threat of Online Child Abuse

The European Commission's push for the Child Sexual Abuse Regulation stems from the alarming escalation of online child sexual abuse. Reported cases surged dramatically from 23,000 in 2010 to over one million in 2020.

Moreover, over 60% of CSAM worldwide is reportedly hosted on servers within the EU, underscoring the Union's significant responsibility in addressing this global issue.

Current System Limitations

The Commission argues that relying on voluntary efforts by online service providers is inadequate. Engagement levels in combating abuse vary significantly among providers, creating loopholes that allow illegal activities to go undetected.

Companies can also unilaterally alter their policies, complicating authorities' ability to effectively prevent and combat child sexual abuse. This perceived inadequacy leads the Commission to believe mandatory obligations are essential.

Beyond more effective action, the Commission aims to provide legal certainty to service providers regarding their responsibilities in risk assessment and mitigation.

Specific Goals and Objectives

The European Commission has outlined several specific objectives:

• Effectively preventing and combating online child sexual abuse in all forms
• Providing clear legal certainty for hosting and communication service providers
• Harmonizing rules across the EU to address Digital Single Market fragmentation
• Striking a fair balance between protecting child victims and respecting other users' rights
• Establishing the EU Centre on Child Sexual Abuse for expertise, information sharing, and victim support

The proposal also aims to be consistent with existing EU policies and international instruments like the Council of Europe's Lanzarote Convention and the Budapest Convention on Cybercrime.

Building on Existing Frameworks

The current proposal builds upon existing legislation and initiatives:

• The ePrivacy Directive and its temporary derogation ("Chat Control 1.0")
• The EU Strategy for a More Effective Fight Against Child Sexual Abuse
• The EU Strategy on the Rights of the Child
• The proposed European Declaration on Digital Rights and Principles
• The Child Sexual Abuse Directive and interim Regulation (EU) 2021/1232

These foundations suggest a deliberate effort to create a continuous and increasingly robust legal framework for combating online child sexual abuse.

Key Provisions and Technical Aspects of the Proposal

Core Provider Obligations

The proposed Regulation establishes several key obligations for online service providers:

Mandatory Risk Assessments: Hosting services and communication providers must evaluate how their services might be used for CSAM distribution or child solicitation. These assessments should occur at least once every three years.

Risk Mitigation Measures: Following assessments, providers must implement targeted, proportionate, non-discriminatory, and effective measures to reduce the likelihood of abuse on their platforms.

Enforcement Mechanisms

The proposal includes several enforcement mechanisms:

Detection Orders: National authorities can issue orders requiring providers to detect CSAM or grooming attempts on their services using specified technologies.

Reporting Obligations: Providers must report potential abuse to the EU Centre, including mandatory information and notifying the affected user of their right to file complaints.

Removal and Blocking Orders: Providers must remove identified CSAM, and internet access providers may be required to block specific URLs hosting CSAM located outside the EU.

Data Preservation: Providers must preserve relevant content and data for specified periods (typically twelve months) or longer if directed by authorities.

This multi-layered approach combines proactive risk management with reactive measures and central coordination to combat online child sexual abuse.

The EU Centre on Child Sexual Abuse

A central component is the establishment of the EU Centre on Child Sexual Abuse—a decentralized agency facilitating the Regulation's implementation with several key functions:

• Receiving and analyzing reports from service providers
• Creating and maintaining CSAM indicator databases
• Providing expertise and reliable information on identified material
• Coordinating victim support services
• Facilitating cooperation among authorities, providers, and stakeholders
• Contributing to technology development for CSAM detection
• Collecting data for transparency reports and supporting audits

The Centre aims to create a more effective and consistent response across all EU Member States.

Technical Implications for Encrypted Communications

One of the most contentious aspects involves detection requirements for end-to-end encrypted platforms like WhatsApp and Signal.

The proposal seeks to implement "upload moderation," where content (photos, videos, links) would be scanned for CSAM before encryption and transmission. This has sparked debate about client-side scanning—performing scans directly on users' devices before message encryption.

The proposal contemplates AI-powered algorithms comparing content against known CSAM databases. Critics highlight the fundamental incompatibility between mandatory scanning and end-to-end encryption, which ensures messages are readable only by senders and intended recipients.

The technical challenges of either breaking encryption or scanning before encryption raise serious security and privacy concerns for all users.

Age Verification and App Store Restrictions

The proposal also considers measures related to age verification and app store restrictions:

• Communication services potentially used for grooming might need to verify users' ages
• This could lead to mandatory identification, undermining anonymous communication
• App stores might need to assess solicitation risks for their offered services
• High-risk apps might be restricted for users under 17 through age verification technologies

These measures raise concerns about anonymous communication (valued by whistleblowers and vulnerable individuals) and potential "digital house arrest" for young people who might be unfairly restricted from accessing various online services.

The Legislative Journey and Stakeholder Positions

The EU Legislative Process

The proposal is navigating the EU's complex legislative procedure involving both the European Parliament and the Council:

• Initial proposal by the European Commission: May 11, 2022
• Transmission to national parliaments for review
• Opinions from EU bodies (Economic and Social Committee, Committee of the Regions, etc.)
• Multiple readings in Parliament and Council with amendments and negotiations
• Expert consultation for delegated acts
• Commission empowerment for technical aspects and implementing acts
• Expected entry into force: 20 days after Official Journal publication
• Implementation: Six months after entry into force

This multi-layered process involves numerous institutions and suggests a potentially protracted path toward finalization.

European Parliament's Position

The European Parliament has significantly shaped the debate:

• The Civil Liberties Committee (LIBE) voted on November 14, 2023, to remove indiscriminate chat control provisions
• It favors targeted surveillance of specific individuals/groups only with reasonable suspicion
• Consistent voting to protect end-to-end encrypted communications
• Strong commitment to digital privacy and secrecy of correspondence
• Rejection of client-side scanning and mandatory age verification
• Support for targeted surveillance only with judicial warrants

The Parliament has adopted a more privacy-conscious approach than the Commission's initial proposal, prioritizing encryption protection and opposing mass surveillance of private communications.

EU Council Divisions

The Council of the European Union has struggled to reach consensus:

• Several postponed or failed votes indicate significant Member State divisions
• Opposition from Germany, Luxembourg, Netherlands, Austria, Poland, Estonia, Slovenia, Czech Republic, and Finland
• Support from Belgium, France, Italy, Portugal, Spain, and Ireland
• Other Member States' positions remain unclear or evolving
• The rotating Presidency (Belgium, Hungary, Poland) attempts to broker compromises

These divisions highlight deep disagreements on balancing child protection with privacy and security rights. Repeated failures to secure qualified majorities underscore substantial reservations about the proposal's privacy and security implications.

Other Stakeholder Reactions

Beyond EU institutions, the proposal has elicited strong reactions:

• Data Protection Authorities: The EDPS and EDPB warn about "de facto generalized and indiscriminate scanning" chilling free expression and undermining fundamental rights
• Tech Companies: Vocal opposition to mandatory scanning of encrypted messages, citing privacy erosion and security vulnerabilities. Signal and Proton have threatened EU market withdrawal if encryption breaking is mandated
• Privacy Organizations: Groups like Electronic Frontier Foundation, European Digital Rights, and Mozilla campaign against the proposal
• Child Protection Organizations: Diverse views—consensus on combating abuse, but concerns about mass surveillance effectiveness and false positives overwhelming resources
• Security Experts: Warnings about technical infeasibility and inherent security risks of breaking encryption and implementing client-side scanning at scale

These varied reactions highlight the complex nature of the issue and persistent disagreements on the most appropriate approach to achieving child protection online.

Controversies, Criticisms, and Amendments

Privacy and Data Protection Concerns

A primary concern involves potential infringement of fundamental rights:

• Mandatory scanning of private communications may constitute mass surveillance without specific suspicion
• Potential violations of EU Charter Articles 7 (privacy) and 8 (data protection)
• European Court of Justice precedents against generalized data retention suggest incompatibility with fundamental rights

Encryption and Security Vulnerabilities

Security experts and privacy advocates raise serious technical concerns:

• Scanning encrypted messages would require backdoors or vulnerabilities
• These could be exploited by malicious actors, including cybercriminals and state-sponsored entities
• This would compromise digital communications security for all users, not just suspects

Technical Feasibility and False Positives

Questions about implementation practicality include:

• Doubts about automated scanning technologies' accuracy, particularly AI-based systems
• Potential high false positive rates leading to unwarranted scrutiny of legal content
• Scenarios where innocent exchanges (parents sharing child photos) could be mistakenly flagged
• Potential overwhelming of law enforcement resources and erosion of system trust

Proportionality Principle

Critics argue the approach is disproportionate:

• Initial iterations constituted indiscriminate mass surveillance of all users
• This is disproportionate to the goal of combating child sexual abuse
• It infringes upon law-abiding citizens' fundamental rights

"Voluntary Consent" Issues

Revisions introducing "voluntary consent" have been criticized:

• In practice, "voluntary" consent could become de facto forced consent
• Users refusing scanning might lose access to core functionalities (sending images/videos)
• This effectively penalizes users for exercising privacy rights

Freedom of Expression and Anonymity

Broad surveillance could impact free speech:

• Mass surveillance might lead to self-censorship due to monitoring fears
• Age verification requirements could undermine anonymous communication
• This affects whistleblowers, journalists protecting sources, and those seeking sensitive support

Corporate Power Concerns

Some critics worry about surveillance power delegation:

• Significant surveillance authority granted to private companies, often non-EU based
• Raises questions about accountability, oversight, and potential misuse

Proposal Evolutions and Amendments

In response to criticism, the proposal has evolved:

• Shift from "chat control" (scanning all communication) to "upload moderation" (scanning visual content and URLs)
• Introduction of "voluntary consent" for image/video scanning
• European Parliament amendments emphasizing targeted surveillance with judicial warrants
• Removal of text/voice scanning in some versions
• Persistent disagreements about scanning obligations scope and nature

Despite these changes, many critics view them as cosmetic rather than addressing core privacy, security, and surveillance concerns.

Current Status and Future Outlook

Current Legislative Status

As of early 2025:

• The regulation remains under active negotiation between Parliament and Council
• Parliament adopted its position in November 2023: protect encryption, favor targeted surveillance
• The Council faces significant hurdles reaching a unified position
• A scheduled Council vote was withdrawn on June 21, 2024, lacking necessary majority
• Subsequent revival efforts under different Presidencies face challenges
• The interim Regulation allowing voluntary scanning extended until April 2026

This deadlock highlights fundamental difficulties reconciling competing values and interests in this sensitive issue.

Recent Developments

Efforts to find a path forward continue:

• Reports of attempts to reintroduce indiscriminate scanning as "upload moderation"
• New proposals like the Polish Council Presidency's suggestion for voluntary scanning
• Continued opposition from privacy advocates and technology companies
• Some firms reiterating warnings about EU service withdrawal if encryption scanning is mandated
• European Ombudsman criticism of "revolving door" between Europol and technology lobbyists promoting chat control

These developments suggest continued push for encryption-impacting measures despite significant opposition, with concepts like "upload moderation" and "voluntary consent" appearing as strategic attempts to overcome resistance.

Future Prospects

The proposal's future remains uncertain:

• Significant hurdles for law adoption remain
• Parliament and Council must reconcile fundamentally different positions
• Upcoming Council Presidency changes could shift negotiation dynamics
• Ongoing debates about technical feasibility and effectiveness will influence outcomes
• The central challenge: finding a solution effectively protecting children while respecting privacy rights and ensuring digital security

The possibility remains that without viable consensus, the proposal could face substantial amendments or withdrawal. Deep divisions within EU institutions and Member States, coupled with strong stakeholder opposition, suggest an arduous path requiring substantial compromises or fundamental reevaluation.

Conclusion

The EU's chat control proposal represents a significant legislative effort addressing online child sexual abuse. This analysis highlights the complex interplay between protecting vulnerable children and preserving fundamental privacy and data protection rights.

The proposal has ignited vigorous debate, exposing deep divisions among EU institutions, Member States, and stakeholders. Key controversies center on mandatory scanning of private communications, particularly on encrypted platforms, potentially leading to mass surveillance, undermined security, and high false positive rates.

The European Parliament generally advocates a more privacy-centric approach with targeted surveillance and encryption protection. Meanwhile, the EU Council struggles to find unity, with persistent disagreements among Member States.

The legislative journey has been marked by delays, postponed votes, and ongoing compromise efforts. Concepts like "upload moderation" and "voluntary consent" represent attempts to address criticism, but many remain skeptical about whether these revisions adequately safeguard fundamental rights.

The perspectives of tech companies, privacy advocates, child protection organizations, and security experts underscore the issue's complexity, with no easy consensus on the most effective and rights-respecting path forward.

The future remains uncertain. A final agreement requires delicately balancing child protection with fundamental rights and digital security. Ongoing negotiations must consider technical feasibility, potential effectiveness, and broader societal implications of adopted measures.

The challenge lies in crafting a solution that truly safeguards children without unduly infringing upon the privacy and security of most users, ensuring a digital environment that is both safe and rights-respecting.

Timeline of Key Events in the EU Chat Control Proposal

Summary of Stakeholder Positions on Key Aspects